FBI issues critical hack warning to Microsoft users - and wants them to do four specific things

If you use Microsoft 365 for work or personal emails, the FBI wants you to pay attention, because a new hacking tool can get into your account without ever needing your password.

The warning, issued by the FBI, flags a phishing platform called Kali365 that was first spotted in April.

It's being distributed through Telegram and is specifically designed to bypass multi-factor authentication, the extra layer of security most people rely on to keep their accounts safe.

In other words, even if you've done everything right, this can still get you.

What makes Kali365 particularly nasty is that it doesn't require any real technical skill to use. The tool does the heavy lifting for attackers, deploying AI-generated phishing lures and allowing criminals to target and track individuals in real time.

The warning, issued by the FBI on Thursday, flags a phishing platform called Kali365 that was first spotted in April (Getty stock image)

How the scam works

It starts with a phishing email pretending to be from a legitimate source, typically something familiar like a document sharing service.

The email contains a device code and instructions to visit a genuine Microsoft verification page and enter it.

Here's the trap: the Microsoft page you're sent to is real. But by entering that code, you're unknowingly authorising the attacker to access your account.

From that point, they can capture authorization tokens that hand them full access to your Microsoft 365 suite, your Outlook emails, Teams messages and OneDrive files, without ever needing your password or triggering your two-factor authentication.

By the time you realize something is wrong, they're already in.

The FBI has issued four specific recommendations to protect yourself from a Kali365 attack (Getty stock)

The four things the FBI wants you to do right now

The FBI has issued four specific recommendations to protect yourself from a Kali365 attack:

• Create a conditional access policy that blocks all users from device code flow, with limited exceptions.
• Check who currently has access to code flow usage and make sure every single one of them is legitimate.
• Block the ability for users to transfer authentication from computers to mobile devices.
• Exclude emergency access accounts to prevent lockouts.

Microsoft said they are: "actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers." (Getty stock image)

What Microsoft says

A Microsoft spokesperson has backed the FBI's guidance and added a few extra steps of their own, according to Nexstar.

Learn to spot phishing attempts before you fall for them in the first place. Don't open files from unknown senders, which could download malware onto your device. And make sure your operating system and all applications are fully updated with the latest security patches.

The company added it is 'actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers'.

The bottom line: if you got an unexpected email recently asking you to enter a code into a Microsoft page, it's worth checking whether your account has been compromised, and running through the FBI's checklist regardless.